1 



A METHOD AMD A SYSTEM FOR PREVENTING IMPERSONATION OF A 
DATABASE USER 

Field of invention 

The present invention relates to a method and a 
system for preventing an administrator of a relational 
database impersonating a user. 

5 

Background of the invention 

In order to protect information stored in a 
database, it is known to store sensitive data encrypted 
in the database. To access such encrypted data you have 

10 to decrypt it, which could only be done by knowing the 
encryption algorithm and the specific decryption key 
being used. The access to the decryption keys could be 
limited to certain users of the database system, and 
further, different users could be given different access 

15 rights. 

Specifically, it is preferred to use a so-called 
granular security solution for the encryption of 
databases, instead of building walls around servers or 
hard drives. In such a solution, which is described in 

20 the document WO 97/49211 by the same applicant, a 
protective layer of encryption is provided around 
specific sensitive data- items or objects. This prevents 
outside attacks as well as infiltration from within the 
server itself. This also allows the system administrator 

25 to define which data stored in databases are sensitive 

and thereby focusing the protection only on the sensitive 
data, which in turn minimizes the delays or burdens on 
the system that may occur from other bulk encryption 
methods . 

3 0 Most preferably the encryption is made on such a 

basic level as in the column level of the databases. 
Encryption of whole files, tables or databases is not so 
granular, and does thus encrypt even non-sensitive data. 
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It is further possible to assign different encryption 
keys of the same algorithm to different data columns. 
With multiple keys in place, intruders are prevented from 
gaining full access to any database since a different key 
5 could protect each column of encrypted data. 

In the above mentioned solutions the system 
administrator is responsible for setting the user 
permissions. Thus, for a commercial database, the system 
administrator operates through a middle -ware, the access 

10 control system (ACS) , which serve for authentication, 

encryption and decryption. The ACS is tightly coupled to 
the database management system (DBMS) of the database. 
The ACS controls access in real-time to the protected 
elements of the database. 

15 Such a security solution provides separation of the 

duties of a security administrator from a database 
administrator (DBA) . The DBA' s role could for example be 
to perform usual DBA tasks, such as extending tablespaces 
etc, without being able to see (decrypt) sensitive data. 

2 0 The SA could then administer privileges and permissions, 
for instance add or delete users. 

For most commercial databases, the database 
administrator has privileges to access the database and 
perform most functions, such as changing password of the 

2 5 database users, independent of the settings by the system 

administrator. An administrator with root privileges 
could also have full access to the database. This is an 
opening for an attack where the DBA can steal all the 
protected data without any knowledge of the protection 

3 0 system above. The attack is in this case based on that 

the DBA impersonates another user by manipulating that 
users password, even though the user's password is 
enciphered by a hash algorithm. An attack could proceed 
as follows. First the DBA logs in as himself, then the 
3 5 DBA reads the hash value of the users password and stores 
this separately. Preferably the DBA also copies all other 
relevant user data. By these actions the DBA has created 
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a snapshot of the user before any altering. Then the DBA 
executes the command "ALTER USER username IDENTIFIED BY 
newpassword" . The next step is to log in under the user 
name "username" with the password "newpassword" in a new 
5 session. The DBA then resets the user's password and 

other relevant user data with the previously stored hash 
value . 

Thus, it is important to further separate the DBA' s 
and the SA' s privileges. For instance, if services are 

10 outsourced, the owner of the database contents may trust 
a vendor to administer the database. Then the role of the 
DBA belongs to an external person, while the important SA 
role is kept within the company, often at a high 
management level. Thus, there is a need for preventing a 

15 DBA to impersonate a user in a attempt to gain access to 
the contents of the database. 

Object of the invention 

It is therefore an object of the present invention 

2 0 to provide a method and a system for preventing an 

administrator impersonating a user of a relational 
database overcoming the above mentioned problems. 

The object is achieved by a method and a system 
according to the appended claims. 

25 

Summary of the invention 

According to the invention a method for preventing 
an administrator impersonating a user of a relational 
database, which database at least comprises a table with 

3 0 at least a user password, wherein said password is stored 

as a hash value, said method comprises the steps of: 
adding a trigger to said table, said trigger at 
least triggering an action when an administrator alters 
said table through the database management system (DBMS) 
3 5 of said database; 



calculating a new password hash value differing from 
said stored password hash value when said trigger is 
triggered; 

replacing said stored password hash value with said 
5 new password hash value. 

Hereby, a method is provided, which overcomes the 
above mentioned problems. With such a method the database 
administrator (DBA) can not impersonate a user. 
Impersonation means that the DBA steals the identity of 
10 an user, and is able to act in the name of the user, 
preferably while the user is unaware of the 
impersonation. Even though the DBA still can read the 
encrypted password and replace it, the attempt to 
impersonate a user will be detected and measures can be 
15 taken. 

Preferably, the method comprises the further steps 

of: 

calculating a control value of said trigger, such as 
a hash value; and 
2 0 comparing the said trigger at the startup and at 

regular intervals with a recalculated control value. With 
these additional steps the DBA can not even try to modify 
the trigger and thereby manipulate the impersonation 
prevention method. 

2 5 With the method above the intrusion is detected when 

a user tries to log in, since the hash value of the users 
password will not match. In order to detect intrusion 
earlier the method can preferably comprise the further 
step of comparing for each active user having access to 

3 0 sensitive data, the hash value of the current login 

password with the currently stored password hash value, 
whereby said step is performed after every change of the 
database content by said user. 

In one embodiment, the trigger comprises means for 
3 5 reading a log of actions on said database, means for 

identifying commands for altering of user passwords in 
said log and means for identifying which user passwords 
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that have been changed. Preferably the trigger is a 
daemon process . 

Also according to the invention a impersonation 
prevention system for a relational database preventing an 
5 administrator impersonating another user, which database 
at least comprises a table with at least a user password, 
wherein said password is stored as a hash value, said 
system comprises: 

calculation means for calculating a hash value of a 
10 user password; 

trigger means, which trigger at least said 
calculation means for calculation of a new hash value of 
said password when an administrator alters said table 
through the database management system (DBMS) of said 
15 database; and 

replacing means for replacing said stored hash value 
with said new hash value for each triggered calculation. 

Such a system will overcome the risk for a DBA 
impersonating a user with all the advantages as the 
2 0 method previously described. 

Brief description of the drawing 

For exemplifying purposes, the invention will be 
described to embodiments thereof illustrated in the 

2 5 attached drawing, wherein: 

Fig. 1 is a schematic view of a system according to 
the invention; and 

Fig. 2 is a flow-chart illustrating a method 
according to the invention. 
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Description of preferred embodiments 

Referring to fig. 1, a schematic view of the 
components in a granular protection system of a database 
are shown. The central repository of the data is the 

3 5 database. In this case it is a relational database. An 

example of such a database is OracleS®, manufactured and 
sold by Oracle Corporation, USA. The data is stored in 



tables, which are interrelated with each other and the 
tables comprises columns and rows. The database can also 
hold other information such as information about the 
structure of the tables, data types of the data elements, 
5 constraints on contents in columns, user data such as 
password, etc. The database is operated through a 
database management system (DBMS) . A DBMS is imposed upon 
the data to form a logical and structured organization of 
the data. A DBMS lies between the physical storage of 
10 data and the users and handles the interaction between 
the two. 

An user normally does not operate the DBMS directly, 
the user uses an application which in turn operates with 
the DBMS. Maintenance work is performed by a database 

15 administrator (DBA), which connect direct to the DBMS. An 
administrator is a role with certain privileges given to 
a person, i.e. a special kind of user. For instance, the 
privileges can include allowance to add new users or read 
data, and normally the administrator is allowed to 

20 unrestricted use of the database. Thus, an administrator 
is allowed to manipulate data, manage users and other 
operating tasks of a database. A user, in contrast to an 
administrator, is normally only allowed to manipulate the 
actual data in the database, and often only some of the 

25 data. Which data an user can manipulate is regulated by 
the users permissions, which are set by the 
administrator . 

In order to protect the data in the database an 
access control system (ACS) interacts with the DBMS in 

3 0 order to protect data from being exposed to users without 
the necessary rights. The access control system in the 
preferred embodiment could for instance be the 
commercially available system "Secure . Data" , a system 
provided by the applicant. The ACS provide encryption and 

35 decryption of data, authentication of users and provides 
means for the security administrator (SA) to provide 
different users or user groups with different privileges 



to access data. The SA has the role of defining who gains 
access to which data. 

Thus, an user accesses the database through an 
application, which in turn uses the DBMS to access the 
5 database. During the access, the ACS interacts in real 
time with the DBMS to permit or deny the access attempt. 
But, a DBA will always have access to the database. 
However, in order to protect the information for the DBA, 
sensitive data is encrypted by the ACS. But, there is 

10 risk that the DBA would impersonate an user in order to 
gain access to decrypted data. This is as described 
prevented by a system and a method according to the 
invention. Such a system according to a preferred 
embodiment will now be described. 

15 The system provides calculation means for 

calculating a hash value of a user password. The first 
time a user is created by the SA, the SA gives the user a 
user name and a user password. The user name and password 
is stored in the database. In order to not reveal the 

2 0 password to for example a DBA, the password is stored as 
a hash value. The calculation means is preferably 
implemented in the ACS . 

The system further comprises trigger means for 
triggering the calculation means for calculation of a new 

2 5 hash value. The trigger means survey the actions of a 

administrator and triggers an action when the 
administrator attempts to change the password of a user 
through the DBMS. Then the calculation means are 
triggered and a new hash value is calculated. 

3 0 Referring to fig. 2, a preferred embodiment of a 

method according to the invention will now be described. 
Initially, when the SA creates a new user or changes the 
password of a user, the hash value of the password will 
be stored in a table. In a first step SI, a trigger is 
3 5 added to the table where user passwords are stored. The 
trigger triggers an action as soon as a database 
administrator alters the table. Preferably the trigger is 
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implemented in the DBMS data language. The trigger could 
register each occasion an alter is made on the table, and 
preferably separate those alters that concern user 
passwords. Another possibility is to read the log or 
5 cache of the DBMS and search for altering statements. The 
trigger function could be implemented as a daemon 
process . 

In another step, S2 , depending on if a trigger has 
been fired, a new hash value of the same password is 
10 calculated. The new hash value differs from the 

previously stored hash value. This hash algorithm is not 
accessible by the DBA and is preferably executed within 
the ACS. 

Then the new calculated hash value replaces the 
15 stored hash value in a step S3 . 

In another embodiment of the method according to the 
invention the integrity of the trigger is also checked at 
regular intervals. Otherwise, the DBA could deactivate 
the trigger temporarily in order to impersonate a user 
2 0 without being discovered. Therefore a snapshot is 

preferably created of the trigger. This could be done by 
creating a checksum or a hash value of the trigger which 
could be stored separately or in conjunction with the 
trigger. 

2 5 The DBA attack will be discovered either when a user 

logs in or during the attempt. If the hash value of a 
user password is compared with the stored hash value and 
the comparison results in a mismatch, the user will not 
be able to log in. But, preferably after every action by 

30 a user, which has access to sensitive data, the hash 

value of the users login password should be compared with 
the stored password. In that way the DBA attack will be 
discovered sooner. 

The invention has been described above in terms of a 

35 preferred embodiment. However, the scope of this 

invention should not be limited by this embodiment, and 
alternative embodiments of the invention are feasible, as 
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should be appreciated by a person skilled in the art. For 
example, it is not necessary to use a hash algorithm for 
enciphering the password, instead a symmetrical or an 
asymmetrical encryption algorithm could be used. 
5 Such embodiments should be considered to be within 

the scope of the invention, as it is defined by the 
appended claims . 
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